Your message dated Mon, 18 Nov 2013 01:48:27 +0000
with message-id <[email protected]>
and subject line Bug#620760: fixed in fail2ban 0.8.11-1
has caused the Debian Bug report #620760,
regarding fail2ban: dropbear section broken in jail.conf
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
620760: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620760
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.8.4+svn20110323-1
Severity: normal
So when upgrading I noticed that a conf file I wrote ages ago has been
incorporated into fail2ban. However, the config section in jail.conf is
rather broken.
The default behaviour of the dropbear package is to install an init
script. In this case, the output of dropbear will end up in
/var/log/auth.log as with the normal ssh daemon. However, the current
config file specifies /var/log/dropbear.
/var/log/dropbear is mentioned in the file README.runit in the dropbear
package. However, this is only for when dropbear has been installed as a
daemontools service. Also, /var/log/dropbear is a folder, not a file, so
the actual log-file will be something else. Last but not least,
daemontools uses a different logging format that the regular expressions
in dropbear.conf wouldn't match anyway.
In conclusion, I believe /var/log/dropbear should be changed to
/var/log/auth.log.
Secondly, I believe the line that reads "filter = sshd" in the dropbear
section should read "filter = dropbear".
Lastly, it should probably be heavily emphasised at the top of
jail.conf that the regexes don't match all the attacks that can be made
against dropbear. In particular, they cannot match attacks which use
only an ssh key and not a password (which I see all the time).
It was my hope that I would get a patch I wrote accepted into dropbear
upstream that always printed the IP info of every failed connection
attempt, but I never managed to do this. This is the output matched by
the commented-out regex.
In its current state, the dropbear rules might even be considered
slightly dangerous because it gives a false sense of security but does
not protect against all attacks. It's for this reason I never submitted
the file to Debian and to be honest, I think it might be a bad idea for
it to be in there (at least until, one day, dropbear prints ip
information for *all* failed connection attempts).
Francis
--- End Message ---
--- Begin Message ---
Source: fail2ban
Source-Version: 0.8.11-1
We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yaroslav Halchenko <[email protected]> (supplier of updated fail2ban
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 17 Nov 2013 17:29:06 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.11-1
Distribution: unstable
Urgency: low
Maintainer: Yaroslav Halchenko <[email protected]>
Changed-By: Yaroslav Halchenko <[email protected]>
Description:
fail2ban - ban hosts that cause multiple authentication errors
Closes: 620760 648276 668064 696087 709196 711463 719662
Changes:
fail2ban (0.8.11-1) unstable; urgency=low
.
* Fresh upstream release
- this release tightens all shipped filters to preclude
possible injections leading to targeted DoS attacks.
- omitted entry for ~pre release changelog:
- asterisk filter was fixed (Closes: #719662),
- nginx filter/jail added (Closes: #668064)
- better detection of log rotation in polling backend (Closes: #696087)
- includes server name (uname -n) into subject of sendmail actions
(Closes: #709196)
* debian/jail.conf
- dropbear jail: use dropbear filter (instead of ssh) and monitor
auth.log instead of non-existing /var/log/dropbear (Closes: #620760)
* debian/NEWS
- information for change of default iptables action to REJECT now
(Closes: #711463)
* debian/patches
- changeset_d4f6ca4f8531f332bcb7ce3a89102f60afaaa08e.diff
post-release change to support native proftpd date format which
includes milliseconds (Closes: #648276)
- changeset_ac061155f093464fb6cd2329d3d513b15c68e256.diff
absorbed upstream
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlKJb5sACgkQjRFFY3XAJMgnqQCgrcgK1ddfi6YqucyCrsYL+PSq
NtwAn1qkv2OoMqsprLUiUA8tda5mIOAi
=itjr
-----END PGP SIGNATURE-----
--- End Message ---
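The two configuration mistakes described in the bug report (a jail wired to the wrong filter, and a logpath that is a directory or does not exist) can be caught with a small audit of jail.conf. This is an added example, not code from fail2ban or from the Debian package; the function names, the finding labels and the two-line jail fragments are constructed for illustration, and the set of filter names stands in for the files under filter.d.

```python
import configparser
import os
import tempfile

# Constructed jail.conf fragments: only the two settings the report discusses.
REPORTED = "[dropbear]\nfilter = sshd\nlogpath = /var/log/dropbear\n"
FIXED = "[dropbear]\nfilter = dropbear\nlogpath = /var/log/auth.log\n"


def audit_jails(conf_text, filter_names, root="/"):
    """Return (jail, problem) pairs for the two mistakes in the report."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for jail in parser.sections():
        section = parser[jail]
        filt = section.get("filter", "")
        # A jail named after an existing filter but wired to another one.
        if jail in filter_names and filt != jail:
            findings.append((jail, "filter-mismatch"))
        # logpath may list several files separated by whitespace.
        for path in section.get("logpath", "").split():
            full = os.path.join(root, path.lstrip("/"))
            if os.path.isdir(full):
                findings.append((jail, "logpath-is-directory"))
            elif not os.path.isfile(full):
                findings.append((jail, "logpath-missing"))
    return findings


def demo():
    """Build a throwaway log tree and audit both fragments against it."""
    with tempfile.TemporaryDirectory() as root:
        # /var/log/dropbear exists as a directory, as the report describes.
        os.makedirs(os.path.join(root, "var/log/dropbear"))
        with open(os.path.join(root, "var/log/auth.log"), "w"):
            pass
        filters = {"sshd", "dropbear"}  # stands in for filter.d/*.conf names
        return (audit_jails(REPORTED, filters, root),
                audit_jails(FIXED, filters, root))


if __name__ == "__main__":
    before, after = demo()
    print("reported:", before)
    print("fixed:   ", after)
```

A clean audit only shows that the jail reads a real file through the intended filter; it says nothing about whether that filter's regexes match every failed attempt, which is the report's third point.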